#hackthebox #medium #windows #jenkins #keepass #john #hashcat #ADS

![[Pasted image 20250727154507.png]]

# Information Gathering - Nmap

As always, I began by scanning all TCP ports:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -Pn -n --open --min-rate 3000 -p- -oN tcpAll
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-27 18:16 UTC
Nmap scan report for 10.10.10.63
Host is up (0.046s latency).
Not shown: 65531 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit

PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
445/tcp   open  microsoft-ds
50000/tcp open  ibm-db2

Nmap done: 1 IP address (1 host up) scanned in 43.89 seconds
```

Then I ran a second TCP scan, with default scripts and version detection, against the open ports found: 80, 135, 445, 50000.

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sCV -p 80,135,445,50000
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-27 18:19 UTC
Nmap scan report for 10.10.10.63
Host is up (0.046s latency).

PORT      STATE SERVICE      VERSION
80/tcp    open  http         Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Ask Jeeves
135/tcp   open  msrpc        Microsoft Windows RPC
445/tcp   open  microsoft-ds Microsoft Windows 7 - 10 microsoft-ds (workgroup: WORKGROUP)
50000/tcp open  http         Jetty 9.4.z-SNAPSHOT
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
Service Info: Host: JEEVES; OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb-security-mode:
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time:
|   date: 2025-07-27T23:19:53
|_  start_date: 2025-07-27T23:11:18
|_clock-skew: mean: 5h00m00s, deviation: 0s, median: 4h59m59s
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.43 seconds
```

Lastly, a UDP scan against the top 10 ports:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ nmap $IP -sU --top-ports 10
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-27 18:21 UTC
Nmap scan report for 10.10.10.63
Host is up (0.048s latency).

PORT     STATE         SERVICE
53/udp   open|filtered domain
67/udp   open|filtered dhcps
123/udp  open|filtered ntp
135/udp  open|filtered msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  open|filtered microsoft-ds
631/udp  open|filtered ipp
1434/udp open|filtered ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 1.73 seconds
```

All ten ports came back `open|filtered`, which only means nmap received no reply and cannot tell the two states apart, so the UDP scan gave nothing actionable.

---

# Enumeration

##### SMB - TCP 445

The SMB server does not allow `null authentication`; I confirmed this with both `nxc` and `smbclient`.

![[Pasted image 20250727132305.png]]

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient -N -L //$IP
session setup failed: NT_STATUS_ACCESS_DENIED
```

##### HTTP - TCP 80

![[Pasted image 20250727132453.png]]

Anything entered in the `search` field goes straight to `/error.html`.

![[Pasted image 20250727135841.png]]

I tried directory-busting but could not enumerate any directories on port 80.
##### HTTP - TCP 50000

![[Pasted image 20250727132701.png]]

`feroxbuster` with the wordlist `raft-medium-directories.txt` did not enumerate anything on port 50000.

![[Pasted image 20250727135816.png]]

But `gobuster` with the wordlist `directory-list-2.3-medium.txt` discovered one directory, `/askjeeves`:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -u http://$IP:50000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.63:50000
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/askjeeves            (Status: 302) [Size: 0] [--> http://10.10.10.63:50000/askjeeves/]
```

# Initial Access - Jenkins Groovy Script

> Shell as `kohsuke`

Navigating to `/askjeeves` revealed a Jenkins server!

![[Pasted image 20250727141028.png]]

Exploring the site, I discovered the `Script Console`, where you can type a `Groovy Script` and execute it on the server. I tested it and it returned the value of the `PATH` environment variable.

![[Pasted image 20250727141808.png]]

Then I headed to `revshells.com` to see if they had a reverse shell payload template for `Groovy Script`, and they did! What a legend. The default command prompt was set to `sh`, but that did not work, so I changed it to `cmd`.

![[Pasted image 20250727142551.png]]

Got the reverse shell!
![[Pasted image 20250727142822.png]]

![[Pasted image 20250727143047.png]]

Found `user.txt` in `C:\Users\kohsuke\Desktop`.

![[Pasted image 20250727143148.png]]

# Privilege Escalation

`whoami /priv` reveals that the current user has `SeImpersonatePrivilege` enabled. I'll note that.

![[Pasted image 20250727143504.png]]

Under `Documents`, I found `CEH.kdbx`, an encrypted password database file.

![[Pasted image 20250727144151.png]]

I transferred the file to my Kali box using `impacket-smbserver`.

![[Pasted image 20250727144540.png]]

As expected, the file type is `Keepass password database 2.x KDBX`:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ file CEH.kdbx
CEH.kdbx: Keepass password database 2.x KDBX
```

I used `keepass2john` to convert it into a hash:

```bash
┌──(kali㉿kali)-[~/Desktop]
└─$ keepass2john CEH.kdbx > keepass.hash

┌──(kali㉿kali)-[~/Desktop]
└─$ cat keepass.hash
CEH:$keepass$*2*6000*0*1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*393c97beafd8a820db9142a6a94f03f6*b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48
```

The [hashcat example hashes page](https://hashcat.net/wiki/doku.php?id=example_hashes) shows that mode 13400 handles this format.

![[Pasted image 20250727144906.png]]

Successfully cracked the hash and obtained the password!

![[Pasted image 20250727145434.png]]

I installed `keepassxc`, entered the obtained password, and found 8 entries.

![[Pasted image 20250727150044.png]]

I collected all the passwords found and stored them in `passwords.txt`, which I used for a password brute-force attack against the `Administrator` user, but none of them worked.

![[Pasted image 20250727151841.png]]

Then again, the first password entry looked like an `NTLM` hash. I tried a `pass the hash` attack and `netexec` confirmed it is valid; it also returned `Pwn3d!`, which indicates the account has administrative privileges.
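Returning to the `keepass2john` output above: an added example, not part of this writeup, that parses the hash line into its fields, validates the KDBX 2.x layout, and compares the stored AES-KDF round count against a policy minimum. The field layout (`$keepass$*2*rounds*algorithm*master seed*transform seed*IV*expected start bytes*content hash`) and the 1,000,000-round minimum are assumptions; the hash value itself is the one shown above.

```python
from dataclasses import dataclass

# The hash line produced by keepass2john in the writeup above.
SAMPLE_HASH = ("CEH:$keepass$*2*6000*0*"
               "1af405cc00f979ddb9bb387c4594fcea2fd01a6a0757c000e1873f3c71941d3d*"
               "3869fe357ff2d7db1555cc668d1d606b1dfaf02b9dba2621cbe9ecb63c7a4091*"
               "393c97beafd8a820db9142a6a94f03f6*"
               "b73766b61e656351c3aca0282f1617511031f0156089b6c5647de4671972fcff*"
               "cb409dbc0fa660fcffa4f1cc89f728b68254db431a21ec33298b612fe647db48")

@dataclass(frozen=True)
class KeePassHash:
    dbname: str
    version: int
    rounds: int
    algorithm: int           # third numeric field as emitted by keepass2john; not interpreted here
    master_seed: bytes
    transform_seed: bytes
    enc_iv: bytes
    expected_start_bytes: bytes
    content_hash: bytes

# Assumed byte lengths of the hex fields for a version-2 (KDBX 2.x) hash line.
_FIELD_LENGTHS = (("master_seed", 32), ("transform_seed", 32), ("enc_iv", 16),
                  ("expected_start_bytes", 32), ("content_hash", 32))

def parse_keepass_hash(line: str) -> KeePassHash:
    """Parse one '<name>:$keepass$*2*...' line; raise ValueError on any layout error."""
    dbname, _, hashpart = line.strip().partition(":")
    if not hashpart.startswith("$keepass$*"):
        raise ValueError("not a $keepass$ hash")
    fields = hashpart.split("*")[1:]          # drop the leading '$keepass$' tag
    if len(fields) != 8 or fields[0] != "2":
        raise ValueError("unsupported version or field count")
    version, rounds, algorithm = int(fields[0]), int(fields[1]), int(fields[2])
    blobs = {}
    for (name, expected), hexval in zip(_FIELD_LENGTHS, fields[3:]):
        raw = bytes.fromhex(hexval)            # ValueError on non-hex input
        if len(raw) != expected:
            raise ValueError(f"{name}: expected {expected} bytes, got {len(raw)}")
        blobs[name] = raw
    return KeePassHash(dbname, version, rounds, algorithm, **blobs)

def kdf_assessment(h: KeePassHash, minimum_rounds: int = 1_000_000) -> dict:
    """Compare the stored AES-KDF round count against an assumed policy minimum.
    Each round is one AES-ECB pass over the 32-byte composite key, so the cost of
    every password guess grows linearly with `rounds`; 6000 is cheap by that measure."""
    return {"rounds": h.rounds, "minimum": minimum_rounds,
            "meets_policy": h.rounds >= minimum_rounds,
            "cost_vs_minimum": h.rounds / minimum_rounds}
```

The round count is the only tunable in this format; a weak master password stays weak no matter how many rounds are configured.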
![[Pasted image 20250727152322.png]]

Since we have administrative privileges, we can use `psexec` to obtain a shell.

![[Pasted image 20250727152519.png]]

`root.txt` usually lives in `C:\Users\Administrator\Desktop`, but this machine has `hm.txt` instead, and it says "the flag is elsewhere."

![[Pasted image 20250727152555.png]]

I used the `dir /R` command to display `ADS` (Alternate Data Streams), an NTFS feature that lets you attach multiple data streams to one file; a plain `dir` does not list them. The command revealed `hm.txt:root.txt:$DATA`.

![[Pasted image 20250727154404.png]]

![[Pasted image 20250727154433.png]]
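An added example, not from the writeup, showing how a defender can triage `dir /R` output for named streams that should not be there. The listing is constructed to mimic the Desktop shown above (file names, dates and sizes are made up), and the `Zone.Identifier` allow-list is an assumption.

```python
import re

# Constructed sample `dir /R` output. A stream line has no date/time column,
# just an indented size followed by <file>:<stream>:$DATA.
SAMPLE_DIR_R = """\
 Directory of C:\\Users\\Administrator\\Desktop

07/27/2025  03:10 PM    <DIR>          .
07/27/2025  03:10 PM    <DIR>          ..
07/27/2025  03:10 PM                36 hm.txt
                                    34 hm.txt:root.txt:$DATA
07/27/2025  03:11 PM             1,024 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               2 File(s)          1,060 bytes
"""

# Matches only the stream lines: leading whitespace, a size, then name:stream:$DATA.
_STREAM_RE = re.compile(
    r"^\s+(?P<size>[\d,]+)\s+(?P<file>.+?):(?P<stream>[^:\\]+):\$DATA\s*$")

# Streams Windows creates routinely (mark-of-the-web); everything else deserves a look.
BENIGN_STREAMS = {"Zone.Identifier"}

def find_streams(listing: str) -> list[dict]:
    """Return every named $DATA stream found in a `dir /R` listing."""
    found = []
    for line in listing.splitlines():
        m = _STREAM_RE.match(line)
        if m:
            found.append({"file": m["file"], "stream": m["stream"],
                          "size": int(m["size"].replace(",", "")),
                          "suspicious": m["stream"] not in BENIGN_STREAMS})
    return found

def suspicious_streams(listing: str) -> list[str]:
    """'file:stream' names of streams that are not on the benign list."""
    return [f"{s['file']}:{s['stream']}" for s in find_streams(listing) if s["suspicious"]]
```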